Merge pull request #2644 from lethalman/pam_tally

pam: Add logFailures option for adding pam_tally to su
This commit is contained in:
Michael Raskin 2014-09-02 00:58:30 +04:00
commit 419031bcfc
2 changed files with 9 additions and 1 deletions

View File

@ -83,7 +83,7 @@ in
security.pam.services =
{ chsh = { rootOK = true; };
chfn = { rootOK = true; };
su = { rootOK = true; forwardXAuth = true; };
su = { rootOK = true; forwardXAuth = true; logFailures = true; };
passwd = {};
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it

View File

@ -142,6 +142,12 @@ let
description = "Whether to update <filename>/var/log/wtmp</filename>.";
};
logFailures = mkOption {
default = false;
type = types.bool;
description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
};
text = mkOption {
type = types.nullOr types.lines;
description = "Contents of the PAM service file.";
@ -169,6 +175,8 @@ let
# Authentication management.
${optionalString cfg.rootOK
"auth sufficient pam_rootok.so"}
${optionalString cfg.logFailures
"auth required pam_tally.so"}
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
${optionalString cfg.usbAuth